CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22007 – Bluetooth: Fix error code in chan_alloc_skb_cb()
https://notcve.org/view.php?id=CVE-2025-22007
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. • https://git.kernel.org/stable/c/6b8d4a6a03144c5996f98db7f8256267b0d72a3a •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22006 – net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence
https://notcve.org/view.php?id=CVE-2025-22006
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence Registering the interrupts for TX or RX DMA Channels prior to registering their respective NAPI callbacks can result in a NULL pointer dereference. This is seen in practice as a random occurrence since it depends on the randomness associated with the generation of traffic by Linux and the reception of traffic from the wire. • https://git.kernel.org/stable/c/82b44cdb0355b5061769ae51909d1c8a1b7f31f2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22005 – ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
https://notcve.org/view.php?id=CVE-2025-22005
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's c... • https://git.kernel.org/stable/c/7dd73168e273938b9e9bb42ca51b0c27d807992b •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22004 – net: atm: fix use after free in lec_send()
https://notcve.org/view.php?id=CVE-2025-22004
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22003 – can: ucan: fix out of bound read in strscpy() source
https://notcve.org/view.php?id=CVE-2025-22003
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(d... • https://git.kernel.org/stable/c/7fdaf8966aae476deafe11f9a0067ff588615444 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22002 – netfs: Call `invalidate_cache` only if implemented
https://notcve.org/view.php?id=CVE-2025-22002
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfs: Call `invalidate_cache` only if implemented Many filesystems such as NFS and Ceph do not implement the `invalidate_cache` method. On those filesystems, if writing to the cache (`NETFS_WRITE_TO_CACHE`) fails for some reason, the kernel crashes like this: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 001... • https://git.kernel.org/stable/c/0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22001 – accel/qaic: Fix integer overflow in qaic_validate_req()
https://notcve.org/view.php?id=CVE-2025-22001
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. • https://git.kernel.org/stable/c/ff13be8303336ead5621712f2c55012d738878b5 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22000 – mm/huge_memory: drop beyond-EOF folios with the right number of refs
https://notcve.org/view.php?id=CVE-2025-22000
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, ca... • https://git.kernel.org/stable/c/c010d47f107f609b9f4d6a103b6dfc53889049e9 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21999 – proc: fix UAF in proc_get_inode()
https://notcve.org/view.php?id=CVE-2025-21999
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _befo... • https://git.kernel.org/stable/c/778f3dd5a13c9e1642e0b2efea4b769387a70afa • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21998 – firmware: qcom: uefisecapp: fix efivars registration race
https://notcve.org/view.php?id=CVE-2025-21998
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: fix efivars registration race Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access. Make sure that all resources have been set up before registering the efivars. • https://git.kernel.org/stable/c/6612103ec35af6058bb85ab24dae28e119b3c055 •